Provest Limited – Data Protection Policy

Effective Date: April 9th, 2025
Last Reviewed: June 12th, 2025
Policy Version: 2.0

1. Introduction

Provest Limited (“the Company”) is committed to protecting the privacy and confidentiality of personal data in compliance with the Nigeria Data Protection Act 2023, Nigeria Data Protection Regulation (NDPR) 2019, and other applicable laws governing financial institutions. This policy outlines our approach to ensuring the security, integrity, and lawful processing of personal data of customers, employees, partners, and third parties.

2. Scope

This policy applies to:

  • All personal data is processed by Provest Limited.
  • All employees, contractors, third-party service providers, and stakeholders.
  • All business operations, including customer onboarding, loan disbursement, repayment, marketing, and data analytics.

3. Legal Basis for Processing

We process personal data based on the following lawful bases:

  • Consent: Explicit consent is obtained before processing sensitive data.
  • Contractual Necessity: To fulfill contractual obligations (e.g., loan agreements).
  • Legal Obligation: To comply with regulatory and statutory requirements.
  • Legitimate Interest: For risk assessment, fraud prevention, and service improvement.

4. Types of Data Collected

We may collect the following categories of data:

  • Personal Identification: Name, date of birth, gender, BVN, national ID, passport, or driver’s license.
  • Contact Information: Address, phone number, email address.
  • Financial Information: Bank account details, income status, credit score, and employment details.
  • Transaction Data: Loan applications, disbursements, repayment history.
  • Digital Identifiers: IP address, device ID, cookies, and usage logs.
  • Biometric Data: Where applicable, for authentication purposes.

5. Data Collection and Processing Principles

Provest Limited adheres to the following data processing principles:

  • Lawfulness, Fairness, and Transparency
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality
  • Accountability

6. Data Subject Rights

Data subjects are entitled to the following rights:

  • Right to Access: Request copies of their data.
  • Right to Rectification: Request corrections to inaccurate or incomplete data.
  • Right to Erasure: Request deletion where legally permissible.
  • Right to Object: Object to processing for direct marketing or based on legitimate interests.
  • Right to Data Portability
  • Right to Withdraw Consent
  • Right to Lodge a Complaint: With the Nigeria Data Protection Commission (NDPC).

7. Data Retention

  • All personal data shall be retained for three (3) years post-relationship termination, unless otherwise required by law.
  • After expiration, data will be anonymized or securely deleted.

8. Data Security Measures

Provest Limited implements robust technical and organizational measures, including:

  • Encrypted databases and secure servers
  • Multi-factor authentication (MFA)
  • Regular vulnerability assessments and audits
  • Access control policies
  • Staff training on cybersecurity and data protection

9. Data Sharing and Third-Party Access

  • Personal data may be shared with regulatory bodies, credit bureaus, and service providers under strict data protection agreements.
  • Cross-border data transfer is only permitted when the receiving country ensures adequate data protection or with the subject’s consent.

10. Consent Management

  • Consent is obtained via clear opt-in mechanisms.
  • Consent logs are maintained for transparency.
  • Users may opt out at any time through provided channels (e.g., email, app settings).

11. Breach Notification

  • In case of a data breach, Provest Limited will notify the NDPC and affected individuals within 72 hours, as required by law.

12. Employee Responsibilities

All staff must:

  • Handle data responsibly and by this policy.
  • Report suspected data breaches immediately.
  • Participate in mandatory annual data protection training.

13. Policy Review and Updates

This policy shall be reviewed annually or in response to:

  • Regulatory changes
  • Significant business process changes
  • Major security incidents

14. Contact Information

For inquiries, complaints, or to exercise your data rights, contact:

Data Protection Officer (DPO)
Provest Limited
Email: [email protected]
Phone: +2348125782220
Address: 2a, Lateef Jakande Road, Agidingbi, Ikeja, Lagos.

This policy reflects Provest Limited’s commitment to responsible data management, confidentiality, and customer trust.